Skip directly to content

Feed aggregator

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 17:38
Description

OG Tabs modules provides a secondary menu with links to nodes of the same OG group.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes posted in an Organic Groups group.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • OG Tabs 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed OG tabs module, there is nothing you need to do.

Solution

Install the latest version:

Also see the OG tabs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:53
Description

Image Title module allows you to upload an image and use it as a node title.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must allowed to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Image Title 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Image Title module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Image Title project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-075 - Perfecto - Open Redirect

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:51
Description

The Perfecto module allows themers accurately calibrate the CSS by floating compositions over the page.

The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Perfecto 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Perfecto module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Perfecto project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/11/2015 - 16:47
Description

Site Documentation module enables you to display detailed configuration information.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Site Documentation 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Site Documentation module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Site Documentation project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 18:12
Description

The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have the "Administer Trick Question" permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Trick Question 6.x-1.x versions prior to 6.x-1.5
  • Trick Question 7.x-1.x versions prior to 7.x-1.5

Drupal core is not affected. If you do not use the contributed Trick Question module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Trick Question project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Matt Vance provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 17:57
Description

This module enables you to use Ogone (Ingenico) as a payment method for Drupal Commerce.

Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though no payment was processed.

The vulnerability is mitigated by the fact that the balance to be paid on affected orders remains the full amount, and no payment transaction is linked to the order.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Commerce Ogone 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Ogone module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce Ogone project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 17:30
Description

This module enables you to add a block to allow visitors to subscribe to a site's newsletter.

The module failed to sanitize some block content, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Simple Subscription 6.x-1.x versions prior to 6.x-1.1.
  • Simple Subscription 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Simple Subscription module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Simple Subscription module for Drupal 6.x, upgrade to Simple Subscription 6.x-1.1
  • If you use the Simple Subscription module in branch 7.x-1.x for Drupal 7.x, upgrade to Simple Subscription 7.x-1.1
  • If you use the Simple Subscription module in branch 7.x-2.x for Drupal 7.x, there is nothing to do, this branch is secure

Also see the Simple Subscription project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by Coordinated by
  • Michael Hess of the Drupal Security Team
  • Matt Vance provisional member of the Drupal Security Team
  • Aaron Ott provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:49
Description

The Mover modules provide the ability to move content between Drupal sites.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mover 6.x-1.0

Drupal core is not affected. If you do not use the contributed Mover module, there is nothing you need to do.

Solution

If you use the Mover module you should uninstall it.

Also see the Mover project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:46
Description

Taxonomy Accordion module creates a block for each taxonomy vocabularies.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a user allowed to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Taxonomy Accordion module

Drupal core is not affected. If you do not use the contributed Taxonomy Accordion module, there is nothing you need to do.

Solution

If you use the Taxonomy Accordion module you should uninstall it.

Also see the Taxonomy Accordion project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:44
Description

Campaign Monitor module integrates the Campaign Monitor API into Drupal.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Campaign Monitor 7.x-1.0

Drupal core is not affected. If you do not use the contributed Campaign Monitor module, there is nothing you need to do.

Solution

If you use the Campaign Monitor module for Drupal 7 you should uninstall it.

Also see the Campaign Monitor project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-067 - Finder - Open Redirect - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:41
Description

Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes.

The provided function finder_form_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Finder module

Drupal core is not affected. If you do not use the contributed Finder module, there is nothing you need to do.

Solution

If you use the Finder module you should uninstall it.

Also see the Finder project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:39
Description

Tracking Code module allows you to create tracking code snippets and control their visibility.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Tracking Code module

Drupal core is not affected. If you do not use the contributed Tracking Code module, there is nothing you need to do.

Solution

If you use the Tracking Code module you should uninstall it.

Also see the Tracking Code project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities - Unsupported

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:35
Description

Registration codes module allows new account registrations only for users who provide a valid registration code.

The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities.

Additionally, some URLs were not protected against CSRF, a malicious user can cause an administrator to delete rules by getting their browser to make a request to a specially-crafted URL.

The XSS vulnerabilities may be mitigated by the fact that an attacker must have a user allowed to create/edit taxonomy terms or nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Registration codes

Drupal core is not affected. If you do not use the contributed Registration codes module, there is nothing you need to do.

Solution

If you use the Registration codes module you should uninstall it.

Also see the Registration codes project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:29
Description

Ubercart Discount Coupons module provides discount coupons for Ubercart stores.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit taxonomy terms. Note that for vocabularies with free tagging enabled, this includes any user with permission to add/edit content of a type to which the vocabulary applies.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Ubercart Discount Coupons 6.x-1.x versions prior to 6.x-1.8

Drupal core is not affected. If you do not use the contributed Ubercart Discount Coupons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Ubercart Discount Coupons project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 03/04/2015 - 16:22
Description

Webform enables you to create surveys, personalized contact forms, contests, and the like.

Cross Site Scripting Related to Webform Submissions

The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch only.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform's results table tab.

To mitigate this vulnerability, you can disable the view-based results table and restore the legacy hard-coded results table by adding this line to your settings.php file:

<?php
 $conf['webform_table'] = TRUE;
?> Cross Site Scripting Related to Blocks

The module doesn't sufficiently escape node titles of webforms which administrators may make available as blocks and displayed to any user. This issue affects all 6.x and 7.x branches of the module.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • webform 6.x versions prior to 6.x-3.22.
  • webform 7.x-3.x versions prior to 7.x-3.22.
  • webform 7.x-4.x versions prior to 7.x-4.4.

Drupal core is not affected. If you do not use the contributed Webform module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:33
Description

Watchdog Aggregator collects watchdog messages from external sites.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Watchdog Aggregator module.

Drupal core is not affected. If you do not use the contributed Watchdog Aggregator module, there is nothing you need to do.

Solution

If you use the Watchdog Aggregator module you should uninstall it.

Also see the Watchdog Aggregator project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:31
Description

Ubercart Webform Integration module integrates Webform and Ubercart modules.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Ubercart Webform Integration module.

Drupal core is not affected. If you do not use the contributed Ubercart Webform Integration module, there is nothing you need to do.

Solution

If you use the Ubercart Webform Integration module you should uninstall it.

Also see the Ubercart Webform Integration project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:28
Description

The Custom Sitemap module enables you to add custom sitemaps to a site.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Custom Sitemap module.

Drupal core is not affected. If you do not use the contributed Custom Sitemap module, there is nothing you need to do.

Solution

If you use the Custom Sitemap module you should uninstall it.

Also see the Custom Sitemap project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:25
Description

Spider Video Player module enables you to add HTML5 and Flash videos to your site.

The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that the attacker must have a role with the permission "access Spider Video Player administration".

Additionally, the module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting videos by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Video Player module.

Drupal core is not affected. If you do not use the contributed Spider Video Player module, there is nothing you need to do.

Solution

If you use the Spider Video Player module you should uninstall it.

Also see the Spider Video Player project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 16:22
Description

Spider Catalog module enables you to build product catalogs.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Spider Catalog module.

Drupal core is not affected. If you do not use the contributed Spider Catalog module, there is nothing you need to do.

Solution

If you use the Spider Catalog module you should uninstall it.

Also see the Spider Catalog project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

Pages